Holy Holes, Gaben! Steam Account Hijack Exploit Fixed

Valve are a taciturn company, which is fair enough. Mercy knows if I received ten thousand e-mails and tweets about Half-Life 3 every day, I’d dedicate my life to obliterating the written word. At times, though, they really should break the silence. They should shout and yell and scream and let everyone know what’s going on. Say, if for five days a security hole had let ne’er-do-wells easily take over people’s accounts. Nope.

Valve have closed the hole, but Steam’s website – including the Store – is down now and I have no idea whether that’s connected, because they aren’t announcing anything about this. Speak up, son.

The exploit had let folks take over accounts whose username they knew by abusing the password recovery feature. By saying they’d forgotten the password, they could select the option to send a recovery code to the account’s registered e-mail address – but then skip that step by entering nothing where the code should go. They’d then have access to the account, and could change the password to something new. If you knew an account’s name, you could take it over without access to the owner’s e-mail or anything else. It was a pretty gaping security hole.

Here’s someone demonstrating how simple the exploit was:

Valve being Valve, they’ve fixed this but not announced anything about it. Folks who lost their accounts were left digging around forums and subreddits and sites trying to find out what was going on. However, Valve did at least speak to Kotaku about it yesterday, saying that they learned about the hole on Saturday, July 25th and that it had been exploited since last Tuesday, July 21st. Valve said:

“To protect users, we are resetting passwords on accounts with suspicious password changes during that period or may have otherwise been affected. Relevant users will receive an email with a new password. Once that email is received, it is recommended that users login to their account via the Steam client and set a new password.

“Please note that while an account password was potentially modified during this period the password itself was not revealed. Also, if Steam Guard was enabled, the account was protected from unauthorized logins even if the password was modified.

“We apologize for any inconvenience.”

There’s still no official announcement on Steam, the Steam Twitter account, Steam Support’s Twitter, the Steam Facebook page, and so on. I don’t know what’s going on with the Steam Store either, which is annoying because I really want to buy and play Cradle.

I also hope Valve gets some wake-up call because they have been and are still terrible in some segments. I stopped buying things from Steam, only bought a few things that were under $5 and have no intention to buy any more AAA games. I bought Witcher 3 on GoG for example and will continue to avoid Steam like the plague until they get back on the road. People can say what they want but for me Origin is getting slowly but surely better than Steam, been using it for a few years now and didn’t have any problems, Gametime is a big plus.

What mostly annoys me is the trash games they let in through Steam Greenlight, one of the most recent is Jim Sterling’s video about 3 Minecraft/DayZ mash-up clones.

I’ll say. I would not want to be the guy who built the UI for that feature. He must be spending the next month avoiding eye contact with people in the halls.
Hopefully this leads to some reform in Valve in regards to security auditing and penetration testing. They said the issue was first exploited on July 21st, but that feature has been there for a very long time. I wonder if the bug has been there all along or whether it was introduced with a more recent update.

Development isn’t just game development, it’s software development in general.

They must have people whose job is software development of its Steam platform – and their development process is pretty unorthodox. I believe there was an article elsewhere on RPS (probably from a year or more ago) talking about how the developers of Steam work, and it was pretty unique.

I hope the “Worst Company” goes to one of those companies that is actually, y’know, killing people or stealing their homes and shit, instead of being hijacked by a bunch of over-entitled fuckups who think that the quality of their entertainment software is a bigger issue than human lives.

To be fair though, if you have a security vulnerability that a) pretty much anyone can use, and b) users can’t actually protect themselves from, if I’ve understood things correctly (well, save from not telling anyone else what their username is), wouldn’t it be sort of sensible to keep quiet about it?

What about “Ambivalent”? I mean, I really like the idea of a digital distribution platform that actually works like a proper package management system (i.e. auto-patching, cloud saves, etc.), and they’ve been way out front of the other platforms in terms of pushing cross-platform support (especially Linux). But at the same time, I find their pseudo-monopolistic market share to be very concerning, and the fact that (most) games use the platform as a form of DRM (i.e. there are very few games that can be run without having Steam running in the background) makes me uncomfortable about what will happen if/when the platform ever stops being actively supported (which statistics say will probably happen, sooner or later).

So, yeah, I think “ambivalent” is an important addition, and not at all the same as “indifferent” :)

Well it is a fuck up but I wouldn’t call it major. There IS a way to defend against this – Steam Guard. Anyone with Steam Guard might have ended up with a changed password and that’s it. If you don’t have it enabled... why not?

You wouldn’t call giving anyone access to an account just by putting nothing in a password recovery code box major? I guess it’s not Steam sending a man round to slaughter your first born, but I wouldn’t say it’s trivial as these things go.

It’s quite an important fuck-up, but if my information’s accurate, it’s nothing devastating for the user as it doesn’t mean more than a temporary (likely brief for a regular Steam user) account loss. It’s a pretty big deal someone might change your password and access your account, but the hijackers wouldn’t be able to change the e-mail address without access to that as well. Meaning no permanent loss.

It’s only a matter of resetting your password as soon as you detect something fishy. And enabling Steam Guard, which is on by default and still boggles the mind why someone would disable that. The legitimate reasons for that sound quite far-fetched: if your account is linked to a non-existent address, a) why haven’t you tried to remedy that getting in touch with support? It’s a major risk in any case, and b) why did you register a sensitive account to an address you could well lose in the future (i.e. ISP’s)?

So it looks like it’s an exploit which would only affect the deliberately insecure accounts, and only temporarily, at that. Still a major hole, but nothing to remotely drop Steam about. That’d be like abandoning a country purely because several people got robbed in a different state.

It is enabled by default. But some people choose to turn it off for reasons unknown (they don’t want to have to take the 20 seconds to open their e-mails, find the e-mail, and copy-paste the code into the box?).

Actually there probably are pretty reasonable reasons someone would turn it off but it’d be pretty darn rare – if you use Steam on a system where for some reason you can’t access your e-mails, or if your e-mail address Steam is registered to no longer exists (which I believe you can’t recover because you can’t change your e-mail address for Steam without responding to an e-mail to the old address, which is impossible if it no longer exists, or that’s how it was several years ago anyway, from personal experience. Maybe Steam support can help now but they refused to back then).

Anyway – some people have turned steam guard off. Steam could re-enable it on all their accounts remotely, but this could mess up access for some people who turned it off for legitimate reasons like I mentioned above and I’m sure there are other real reasons people can’t use it. But I imagine it could have saved most of the accounts hacked – although how many accounts that is we are not sure.

You’re right. It slipped my mind what Steam Guard was for a moment and I commented before I remembered, but yeah it’s an extremely easy way to protect yourself and is even on by default (I think?), which pretty much invalidates point b) and thus my entire comment.

Security by obscurity is never the answer. They should have sent an e-mail out, a major press release, tweeted, Facebooked – whatever, however – that this was a vulnerability and if you don’t already have Steam Guard enabled to go enable it now; at least until this vulnerability was fixed. The fact this was an open vulnerability for 5 days, and they didn’t say anything about it, is completely inexcusable.

No it would not. You do not need to tell users how the exploit works. You merely tell the users that an exploit exists, to check their accounts for suspicious activity and set up Steam Guard for extra security.

After you’ve fixed the bug? No, at that point keeping silent looks like an attempted cover-up.

If you mean before you’ve fixed it, it’s a moot point with a bug that is simultaneously so simple and so catastrophic, because there shouldn’t be enough time between discovering and fixing it to type up a press release.

Consider what would happen if $secretToken was null. Or if $inputToken was not a string, but a boolean or integer. Or if $secretToken was never null, and $inputToken was always a string, but $secretToken was in the form of a hexadecimal string (PHP’s == can do some surprising things). Fortunately some other code coincidentally prevented its exploitation.

Stab in the dark but maybe a stupid error where they said ‘don’t allow you to progress if wrong code entered’ meaning you can progress if that condition isn’t met – i.e. you DON’T enter a WRONG code. And no code isn’t a wrong code?

The issue is probably that “check to see if two strings match” is likely (in languages like C) to cause your program to crash if one of the strings doesn’t exist (we could argue that you shouldn’t be using a language like this for a program like this, but honestly that kind of argument only flies in academia where you’re totally insulated from the real world). So before you do the compare, first you have to check to see if both strings exist, and if one doesn’t you need to do . So the bug is likely that the wasn’t what it should have been, but the fact that the check took place is not at all surprising.
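As an added illustration (not code from the article or from either commenter above), the PHP snippet below shows how a loose `==` comparison of a recovery code behaves on the kinds of input the two comments name (a missing secret, a non-string, a numeric-looking hex string) next to a strict check that refuses to proceed when either side is missing. The names `$secretToken` and `$inputToken` are taken from the comment; the function names and sample values are constructed.

```php
<?php
// Added example: loose vs. strict comparison of a password-recovery code.
// Function names and the sample inputs below are constructed for illustration.

/** Loose check in the style the comment warns about: PHP juggles types here. */
function looseCodeMatches($secretToken, $inputToken): bool
{
    return $secretToken == $inputToken;
}

/** Strict check: both sides must be non-empty strings, compared in constant time. */
function strictCodeMatches($secretToken, $inputToken): bool
{
    // A missing or never-issued code must fail closed, not fall through.
    if (!is_string($secretToken) || !is_string($inputToken)) {
        return false;
    }
    if ($secretToken === '' || $inputToken === '') {
        return false; // nothing was issued, or nothing was entered
    }
    // hash_equals() avoids timing leaks and never coerces types.
    return hash_equals($secretToken, $inputToken);
}

// Constructed inputs covering the cases the comments describe.
$cases = [
    'no code issued, empty field'    => [null, ''],        // loose: true (null == '')
    'boolean true instead of string' => ['a1b2c3', true],  // loose: true (non-empty string is truthy)
    'numeric-looking hex strings'    => ['0e123456', '0e654321'], // loose: true (both parse as 0.0)
    'integer zero instead of string' => ['a1b2c3', 0],     // loose: true on PHP 7, false on PHP 8
    'correct code'                   => ['a1b2c3', 'a1b2c3'],
];

foreach ($cases as $label => [$secret, $input]) {
    printf("%-32s loose=%-5s strict=%s\n", $label,
        looseCodeMatches($secret, $input) ? 'true' : 'false',
        strictCodeMatches($secret, $input) ? 'true' : 'false');
}
```

Only the last case passes the strict check; every other row is accepted by the loose one on PHP 7 (the integer-zero row changes on PHP 8, where non-numeric strings no longer compare equal to 0).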

Agreed, this must be the most ridiculous hack ever, or at least the worst I’ve ever heard of. But then, Steam Guard exists and I suppose it can protect you from every such stupidity.
Not really sure how people can hack two-way security, it must be doable, but the prize must be really damn good for them to waste time so… why not use Steam Guard?

So then the question really is, who turns off Steam Guard? Either very lazy people, or probably a small number of people with real reasons to – such as the e-mail address they registered Steam to has been lost.

It’s not the victim’s fault that the security breach occurred, no. Such security breaches are bad and they are the fault of Valve, yes. But there are precautions one can take against it that should be taken.

If you didn’t lock your house and someone broke into it, is it your fault? No, it’s the person who burgled you. But you SHOULD have locked your house to guard against this.

If you left your keys in your car, and it gets stolen, is it your fault? No. But you could have taken a precaution against it.

And it’s not right that people go round stealing cars or burgling houses, and they are the criminals, but it’s also your responsibility to take reasonable precautions, and while it may not be the ideal world to live in, society supports this – your insurance will not pay out if you left your house unlocked, for example. And if there was a news article going ‘Family home burgled while they left it unlocked on a day out’, you know exactly what the comments would be. The family isn’t to blame for crime but they could have taken precautions that they didn’t.

So while it’s not the fault of victims who had their Steam accounts hijacked because of Valve’s fuck up, and the people who are to blame are the hackers, not the victims, there was a reasonable precaution they could have taken against this.

The “house” (in your analogy) was locked. The users had every expectation that they had done the right thing, and were completely safe. They were not being naive, they were not ignoring “reasonable precautions”. The problem is that the locks (provided by Valve) turned out to be completely ineffective if someone inserted a blank key.

Your “unlocked house” analogy really doesn’t work at all. The users had done the right thing; it was only Valve who screwed up.

What I’m wondering is, does anyone ever test these types of things? If it involves major changes to something or a security issue, no matter how small, they should have a team that tests it. I don’t care, but test everything in a week’s period before sending out the update to everyone. It seems like none of the staff members are testing their code for any “loop-holes” that could endanger people’s information as well as in-game items. It’s like the moment they get the coding “done” they just send it out.